We’ve previously discussed best practices for securing Microsoft Azure and Amazon Web Services but, this time, we are going to turn our attention to Google Cloud Platform. Google Cloud Platform (GCP) is growing at an impressive 83 percent year over year but generally receives less focus than AWS and Azure.
We can use some of our best practice cloud security knowledge to outline some fundamental steps for keeping Google Cloud Platform secure.
1. Identity and Access Management
A general rule of thumb is to use managed corporate credentials for your Google Cloud Platform accounts instead of personal Gmail accounts. This helps ensure complete visibility and control of the account, as well as continuity of service in the event of personnel changes.
Additionally, as always, your GCP credentials should have multi-factor authentication enabled to combat the threat of breached or weak credentials.
Google allows for multiple projects within GCP with separate access control and billing accountability. Using multiple separate projects can help segment your resources, so that the compromise of one machine or account does not put resources in another project in jeopardy.
2. Network Security
A first priority should be the removal of the “default” Virtual Private Cloud (VPC) network. Creating your own network gives you a clear picture of exactly what you are allowing in and out of your VPC network. The default network allows access to some internal GCP networks, as well as global SSH and RDP access.
It is critical to limit your exposure to brute force attacks. Reduce the attack surface by removing global SSH and RDP access. When you define your own VPC network, take care not to allow access to port 22 or 3389 from the open internet (0.0.0.0/0).
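The check described above can be automated against the output of `gcloud compute firewall-rules list --format=json`. The following is an added example (not code from the original post or from Google); it parses a constructed sample in that shape, shaped after the real `default-allow-ssh` and `default-allow-rdp` rules, and reports every enabled ingress rule that opens SSH or RDP to the whole internet, including rules that use the `all` protocol, omit the port list, or use a port range. The rule names other than the GCP defaults and the `203.0.113.0/24` office range are constructed.

```python
import ipaddress
import json

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`,
# trimmed to the fields the check needs. The first three mirror GCP's default-network rules.
SAMPLE_RULES_JSON = json.dumps([
    {"name": "default-allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "default-allow-rdp", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "default-allow-internal", "direction": "INGRESS", "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]},
                 {"IPProtocol": "udp", "ports": ["0-65535"]}, {"IPProtocol": "icmp"}]},
    # constructed: everything allowed, but only from a documentation-range "office" prefix
    {"name": "office-all", "direction": "INGRESS", "sourceRanges": ["203.0.113.0/24"],
     "allowed": [{"IPProtocol": "all"}]},
    # constructed: "all" protocols from anywhere opens SSH and RDP without naming them
    {"name": "open-everything", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
    # constructed: a disabled rule does not expose anything today
    {"name": "ipv6-ssh-disabled", "direction": "INGRESS", "sourceRanges": ["::/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}], "disabled": True},
    # constructed: egress rules have no sourceRanges and are not ingress exposure
    {"name": "allow-egress", "direction": "EGRESS", "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
])

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def is_world_range(cidr):
    """True for a source range covering the whole internet (IPv4 or IPv6 prefix length 0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def ports_hit(allowed_entry, wanted):
    """Return which of the `wanted` ports a single 'allowed' entry opens.

    Only tcp or 'all' can carry SSH/RDP; a missing port list means every port.
    Port specs are either "22" or a range such as "20-25".
    """
    proto = allowed_entry.get("IPProtocol", "").lower()
    if proto not in ("tcp", "all"):
        return set()
    ports = allowed_entry.get("ports")
    if not ports:
        return set(wanted)
    hit = set()
    for spec in ports:
        lo, _, hi = spec.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        hit |= {p for p in wanted if lo_i <= p <= hi_i}
    return hit


def find_exposed_admin_ports(rules_json):
    """Return [(rule_name, service)] for enabled ingress rules exposing SSH/RDP to the world."""
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if not any(is_world_range(r) for r in rule.get("sourceRanges", [])):
            continue
        exposed = set()
        for entry in rule.get("allowed", []):
            exposed |= ports_hit(entry, ADMIN_PORTS)
        for port in sorted(exposed):
            findings.append((rule["name"], ADMIN_PORTS[port]))
    return findings


if __name__ == "__main__":
    for name, service in find_exposed_admin_ports(SAMPLE_RULES_JSON):
        print(f"{name}: {service} reachable from the open internet")
```

To run it against a real project, replace `SAMPLE_RULES_JSON` with the captured output of the `gcloud` command; the `open-everything` case is the one most often missed by eye, since neither 22 nor 3389 appears in the rule.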
It is always wise to use traditional network security best practices in your deployments in order to prevent and detect attacks or breaches. Perform frequent vulnerability audits on your cloud network and assets with a vulnerability management product.
3. Logging
It is important to create a comprehensive logging policy within your cloud platform to help with auditing and compliance.
Access logging should be enabled on storage buckets so that you have an easily accessible log of object access. Administrator audit logs are created by default, but you should enable Data Access logs for Data Writes in all services.
The Stackdriver logging mechanism only stores logs for a limited time. You should create a log export sink with no filter in order to archive all logs for an extended period.
More information on logging configuration can be found here.
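The two settings above, Data Access logging for data writes across all services and an unfiltered export sink, are both visible in `gcloud` output: the audit configuration is the `auditConfigs` section of `gcloud projects get-iam-policy PROJECT --format=json`, and sinks come from `gcloud logging sinks list --format=json`. The following added example (not from the original post or from Google) checks both against constructed samples in those shapes. The project name, sink names, bucket destinations and the exempted user are constructed; the field names (`auditConfigs`, `auditLogConfigs`, `logType`, `exemptedMembers`, `filter`) are the real API fields.

```python
import json

# Constructed sample of the auditConfigs part of `gcloud projects get-iam-policy --format=json`.
# The allServices entry enables DATA_WRITE, but exempts one user, which leaves a gap.
SAMPLE_IAM_POLICY_JSON = json.dumps({
    "auditConfigs": [
        {"service": "allServices",
         "auditLogConfigs": [
             {"logType": "ADMIN_READ"},
             {"logType": "DATA_WRITE", "exemptedMembers": ["user:ops@example.com"]}]},
        {"service": "storage.googleapis.com",
         "auditLogConfigs": [{"logType": "DATA_READ"}, {"logType": "DATA_WRITE"}]},
    ],
    "bindings": [],
    "etag": "BwXconstructed=",
})

# Constructed sample in the shape of `gcloud logging sinks list --format=json`.
SAMPLE_SINKS_JSON = json.dumps([
    {"name": "errors-only", "destination": "storage.googleapis.com/example-errors",
     "filter": "severity>=ERROR"},
    {"name": "archive-everything", "destination": "storage.googleapis.com/example-log-archive"},
])

# The post asks for Data Access logs for data writes in all services.
REQUIRED_LOG_TYPES = {"DATA_WRITE"}


def audit_log_gaps(policy_json):
    """Return the required log types that the project-wide 'allServices' config does not
    enable cleanly. An entry with exemptedMembers is not counted as enabled, because those
    principals' writes would not be logged. Per-service entries only add coverage for that
    service, so they cannot satisfy an 'all services' requirement."""
    enabled = set()
    for cfg in json.loads(policy_json).get("auditConfigs", []):
        if cfg.get("service") != "allServices":
            continue
        for entry in cfg.get("auditLogConfigs", []):
            if not entry.get("exemptedMembers"):
                enabled.add(entry.get("logType"))
    return sorted(REQUIRED_LOG_TYPES - enabled)


def unfiltered_sinks(sinks_json):
    """Names of sinks that export every entry: no filter key, or an empty/blank filter."""
    return [s["name"] for s in json.loads(sinks_json) if not (s.get("filter") or "").strip()]


def assess_logging(policy_json, sinks_json):
    """Combine both checks into one report dict."""
    return {
        "audit_log_gaps": audit_log_gaps(policy_json),
        "unfiltered_sinks": unfiltered_sinks(sinks_json),
        "has_full_archive": bool(unfiltered_sinks(sinks_json)),
    }


if __name__ == "__main__":
    print(json.dumps(assess_logging(SAMPLE_IAM_POLICY_JSON, SAMPLE_SINKS_JSON), indent=2))
```

On the sample, the sink check passes (`archive-everything` exports all logs) while the audit check reports `DATA_WRITE` as a gap because of the exemption; removing the exemption from the `allServices` entry clears it.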
4. Databases
Google Cloud Platform provides the ability to create managed MySQL and PostgreSQL database instances in which Google takes care of security patches; however, there are still configuration options which should be set if you are using the database feature.
By default, SSL is not required. All databases should be configured to require SSL connections to foil snooping and man-in-the-middle attacks.
When starting a new MySQL database, it is possible to create it without a root (admin) password. You absolutely must enable a root password for all MySQL databases.
As in the networking section, you should not allow ingress to your databases from the global internet. Do not allow 0.0.0.0/0 when creating authorized networks for your databases. Similarly, MySQL should not allow root users to connect from any host.
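The three database settings discussed in this section (SSL required, no world-wide authorized network, no root login from any host) can be read from `gcloud sql instances list --format=json` and `gcloud sql users list --instance=NAME --format=json`. The following added example (not from the original post or from Google) audits constructed samples in those shapes. The instance names, the office prefix and the user list are constructed; `settings.ipConfiguration.requireSsl`, `authorizedNetworks[].value` and `databaseVersion` are the real Cloud SQL Admin API fields. For the root-host check it uses MySQL's own convention that a host of `%` matches any client address, which is how "connect from anywhere" appears in the user list.

```python
import ipaddress
import json

# Constructed sample in the shape of `gcloud sql instances list --format=json`,
# trimmed to the fields checked here.
SAMPLE_INSTANCES_JSON = json.dumps([
    {"name": "orders-db", "databaseVersion": "MYSQL_5_7",
     "settings": {"ipConfiguration": {
         "requireSsl": True,
         "authorizedNetworks": [{"name": "office", "value": "203.0.113.0/24"}]}}},
    {"name": "legacy-db", "databaseVersion": "MYSQL_5_6",
     "settings": {"ipConfiguration": {
         # requireSsl is simply absent when SSL is not enforced
         "authorizedNetworks": [{"name": "anywhere", "value": "0.0.0.0/0"}]}}},
    {"name": "reports-db", "databaseVersion": "POSTGRES_9_6",
     "settings": {"ipConfiguration": {"requireSsl": False, "authorizedNetworks": []}}},
])

# Constructed sample of `gcloud sql users list --instance=... --format=json`, keyed by
# instance name so the example is self-contained. In MySQL, host "%" means any host.
SAMPLE_USERS_JSON = json.dumps({
    "orders-db": [{"name": "root", "host": "localhost"}, {"name": "app", "host": "%"}],
    "legacy-db": [{"name": "root", "host": "%"}],
    "reports-db": [{"name": "postgres", "host": ""}],
})


def is_world_cidr(value):
    """True when an authorized network is the whole internet (prefix length 0)."""
    try:
        return ipaddress.ip_network(value, strict=False).prefixlen == 0
    except ValueError:
        return False


def audit_sql_instance(instance, users):
    """Return a list of finding codes for one instance (empty list means it passes)."""
    findings = []
    ip_cfg = instance.get("settings", {}).get("ipConfiguration", {})

    # Rule 1: every database must require SSL; a missing key counts as not required.
    if not ip_cfg.get("requireSsl", False):
        findings.append("SSL_NOT_REQUIRED")

    # Rule 2: no authorized network may be 0.0.0.0/0 (or ::/0).
    for net in ip_cfg.get("authorizedNetworks", []):
        value = net.get("value", "")
        if is_world_cidr(value):
            findings.append("OPEN_TO_INTERNET:" + net.get("name", value))

    # Rule 3 (MySQL only): root must not be allowed to connect from any host.
    if instance.get("databaseVersion", "").startswith("MYSQL"):
        if any(u.get("name") == "root" and u.get("host") == "%" for u in users):
            findings.append("ROOT_FROM_ANY_HOST")
    return findings


def audit_sql_instances(instances_json, users_json):
    """Map each instance name to its findings."""
    users_by_instance = json.loads(users_json)
    return {
        inst["name"]: audit_sql_instance(inst, users_by_instance.get(inst["name"], []))
        for inst in json.loads(instances_json)
    }


if __name__ == "__main__":
    for name, findings in audit_sql_instances(SAMPLE_INSTANCES_JSON, SAMPLE_USERS_JSON).items():
        print(name, "OK" if not findings else ", ".join(findings))
```

Note that the missing-root-password case the post warns about is not visible in this output (the API never returns password material), so that one still has to be enforced at creation time.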
5. Storage Buckets
We would be remiss not to mention storage bucket access after so many news reports of online storage data dumps. The Google Cloud Platform Console does not present obvious warnings when buckets have anonymous or public access, so it is important to monitor these settings. Ensure that neither allUsers nor allAuthenticatedUsers has access on buckets or objects where it is not needed. In this context, “allAuthenticatedUsers” means anyone with a Google account, which is effectively everyone.
You may also consider enabling object versioning to protect yourself from unintended overwrites.
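Because the console does not flag public buckets, the check above is worth scripting. The following added example (not from the original post or from Google) walks a constructed set of bucket IAM policies in the shape `gsutil iam get gs://BUCKET` returns, flags any binding granting a role to `allUsers` or `allAuthenticatedUsers`, and also reports buckets without object versioning (using the `versioning.enabled` field of the JSON API bucket resource). The bucket names, members and an `allowlist` parameter for buckets that are intentionally public (such as a static website) are constructed for the example; the policy structure (`bindings`, `role`, `members`, `etag`) is the real Cloud IAM format.

```python
import json

# The post treats both of these as "everyone".
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample: per bucket, the IAM policy as `gsutil iam get` prints it plus the
# bucket's `versioning` setting from the JSON API bucket resource.
SAMPLE_BUCKETS_JSON = json.dumps({
    "example-public-site": {
        "versioning": {"enabled": False},
        "iam": {"bindings": [
            {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
            {"role": "roles/storage.admin", "members": ["group:web-admins@example.com"]}],
            "etag": "CAE="},
    },
    "example-backups": {
        "versioning": {"enabled": True},
        "iam": {"bindings": [
            {"role": "roles/storage.objectViewer",
             "members": ["allAuthenticatedUsers",
                         "serviceAccount:backup@example-project.iam.gserviceaccount.com"]},
            {"role": "roles/storage.legacyBucketOwner", "members": ["projectOwner:example-project"]}],
            "etag": "CAI="},
    },
    "example-private": {
        "versioning": {"enabled": True},
        "iam": {"bindings": [
            {"role": "roles/storage.objectAdmin",
             "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]}],
            "etag": "CAM="},
    },
})


def public_bindings(policy):
    """Return (principal, role) pairs in an IAM policy that grant access to everyone."""
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                found.append((member, binding["role"]))
    return found


def audit_buckets(buckets_json, allowlist=frozenset()):
    """Map bucket name -> findings. Buckets in `allowlist` are expected to be public and
    only get the versioning check; every other public grant is a finding."""
    report = {}
    for name, info in json.loads(buckets_json).items():
        findings = []
        if name not in allowlist:
            for principal, role in public_bindings(info.get("iam", {})):
                findings.append(f"PUBLIC:{principal}:{role}")
        if not info.get("versioning", {}).get("enabled", False):
            findings.append("VERSIONING_DISABLED")
        report[name] = findings
    return report


if __name__ == "__main__":
    for bucket, findings in audit_buckets(SAMPLE_BUCKETS_JSON).items():
        print(bucket, "OK" if not findings else ", ".join(findings))
```

This inspects bucket-level policy only; object-level ACLs on buckets that still use fine-grained access would need a separate pass over the objects.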
6. Virtual Machines
One unique Google Cloud Platform function is the interactive serial port capability, but unfortunately, the interactive serial console does not support IP-based access restriction and allows connections from any IP address. This function should remain disabled, as it allows for brute force login attacks.
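The interactive serial console is controlled by the `serial-port-enable` metadata key, which can be set on the project (`commonInstanceMetadata` in `gcloud compute project-info describe --format=json`) or on an individual instance (`metadata.items` in `gcloud compute instances list --format=json`), with the instance-level value overriding the project default. The following added example (not from the original post or from Google) resolves that effective value for each instance in a constructed sample and lists the ones where the console is enabled. Project and instance names are constructed; the metadata key and its accepted values (`TRUE`/`1`) are the documented ones.

```python
import json

# Constructed sample of the relevant part of `gcloud compute project-info describe --format=json`.
# Here the project enables the serial console for every instance that does not override it.
SAMPLE_PROJECT_JSON = json.dumps({
    "name": "example-project",
    "commonInstanceMetadata": {"items": [
        {"key": "serial-port-enable", "value": "TRUE"},
        {"key": "enable-oslogin", "value": "TRUE"},
    ]},
})

# Constructed sample in the shape of `gcloud compute instances list --format=json`, trimmed.
SAMPLE_INSTANCES_JSON = json.dumps([
    {"name": "web-1", "metadata": {"items": [{"key": "serial-port-enable", "value": "0"}]}},
    {"name": "web-2", "metadata": {"items": [{"key": "startup-script", "value": "#! /bin/sh"}]}},
    {"name": "db-1", "metadata": {"items": [{"key": "serial-port-enable", "value": "1"}]}},
    {"name": "batch-1"},  # no metadata block at all
])

SERIAL_KEY = "serial-port-enable"


def metadata_value(metadata, key):
    """Look up one key in a GCE metadata block ({"items": [{"key", "value"}, ...]})."""
    for item in (metadata or {}).get("items", []):
        if item.get("key") == key:
            return item.get("value")
    return None


def is_truthy(value):
    """GCE accepts TRUE or 1 (case-insensitive) for boolean metadata keys."""
    return str(value).strip().lower() in ("true", "1")


def effective_serial_console(project_json, instances_json):
    """Map instance name -> effective serial-port-enable setting.

    An instance-level value wins; otherwise the project-level value applies;
    if neither is set the console is disabled.
    """
    project_meta = json.loads(project_json).get("commonInstanceMetadata")
    project_default = is_truthy(metadata_value(project_meta, SERIAL_KEY))
    result = {}
    for inst in json.loads(instances_json):
        own = metadata_value(inst.get("metadata"), SERIAL_KEY)
        result[inst["name"]] = project_default if own is None else is_truthy(own)
    return result


def instances_with_serial_console(project_json, instances_json):
    """Names of instances whose interactive serial console is effectively enabled."""
    return [name for name, on in effective_serial_console(project_json, instances_json).items() if on]


if __name__ == "__main__":
    print("serial console enabled on:", instances_with_serial_console(SAMPLE_PROJECT_JSON, SAMPLE_INSTANCES_JSON))
```

The project-level setting is the one to watch: a single `TRUE` there silently enables the console on every instance that does not explicitly set the key to `0`.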
Securing virtual machines in the cloud requires many of the same controls as in your local environment. Run network security scans, anti-malware apps, and keep track of changes with file integrity monitoring and change management.
7. Google App Engine
Google Cloud Platform provides the Cloud Security Scanner, which detects common vulnerabilities such as cross-site scripting (XSS), Flash injection, and insecure library usage. These free scans of your App Engine websites can be run both before and after you enter production, so it is an easy win on your road to increasing security in your DevOps process.
Are you working with Google Cloud Platform?
These fundamentals apply to any project implemented within Google Cloud Platform and can be expanded on and tailored to individual installations. More information can be found in the Center for Internet Security Google Cloud Platform Foundation Benchmark. The CIS benchmark provides guidance on best practice configurations for your Google Cloud Platform environment.
Tripwire has recently released version 4.2.0 of the Cloud Management Assessor, an integration for Tripwire Enterprise which helps you monitor the security state of your Google Cloud Platform, Amazon Web Services, or Microsoft Azure deployments by collecting and analyzing cloud configuration data. You can monitor your Google, AWS, or Azure accounts for configuration changes right alongside the security monitoring of cloud and on-premises assets.
To learn more about Tripwire’s Cloud Management Assessor, click here.